4 vulnerabilities by Gleam
CVE-2026-42795 (GCVE-0-2026-42795)
Vulnerability from cvelistv5 – Published: 2026-06-02 13:41 – Updated: 2026-06-02 19:14
Title
Symlink Following in Hex Package Export Allows Embedding Files Outside Project Root
Summary
Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball.
The file collection helpers (gleam_files, native_files, private_files) in compiler-cli/src/fs.rs use follow_links(true) when walking publishable directories such as src/ and priv/. The collected paths are added to the package archive via add_path_to_tar in compiler-cli/src/publish.rs without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause gleam export hex-tarball or gleam publish to embed the contents of the symlink target into the generated Hex package.
An attacker with write access to the project repository can place a symlink in src/ or priv/ pointing to an arbitrary file. When a maintainer or CI pipeline runs gleam publish or gleam export hex-tarball, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact.
This issue affects Gleam from 0.10.0-rc1 until 1.17.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gleam-lang/gleam/security/advi… | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-42795.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-42795 | related |
| https://github.com/gleam-lang/gleam/commit/6435a5… | patch |
Impacted products
3 products
| Vendor | Product | Affected versions | CPE |
|---|---|---|---|
| Gleam | Gleam | 0.10.0-rc1, < 1.17.0 (semver) | cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
| Gleam | Gleam | 0.10.0-rc1, < 1.17.0 (semver); c82a2d83bd0c06cafdc196820deb3f89a9b3ff7c, < 6435a5528b9ae0449e2f32be579641ec485f6866 (git) | cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
| Gleam | Gleam | v0.10.0-rc1-elixir, < v1.17.0-elixir; v0.10.0-rc1-erlang, < v1.17.0-erlang; v0.10.0-rc1-node, < v1.17.0-node; v0.10.0-rc1-node-slim, < v1.17.0-node-slim; v0.10.0-rc1-elixir-slim, < v1.17.0-elixir-slim; v0.10.0-rc1-erlang-slim, < v1.17.0-erlang-slim; v0.10.0-rc1-erlang-alpine, < v1.17.0-erlang-alpine; v0.10.0-rc1-elixir-alpine, < v1.17.0-elixir-alpine; v0.10.0-rc1-node-alpine, < v1.17.0-node-alpine; v0.10.0-rc1-scratch, < v1.17.0-scratch (all: other) | cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42795",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:04:06.195456Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T15:04:35.767Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gleam-lang/gleam/security/advisories/GHSA-qhh5-fg4c-8gqc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-cli"
],
"packageName": "gleam",
"packageURL": "pkg:sid/gleam.run/gleam",
"product": "Gleam",
"programFiles": [
"compiler-cli/src/fs.rs",
"compiler-cli/src/publish.rs"
],
"programRoutines": [
{
"name": "compiler_cli::fs::gleam_files"
},
{
"name": "compiler_cli::fs::native_files"
},
{
"name": "compiler_cli::fs::private_files"
},
{
"name": "compiler_cli::publish::project_files"
},
{
"name": "compiler_cli::publish::add_path_to_tar"
}
],
"vendor": "Gleam",
"versions": [
{
"lessThan": "1.17.0",
"status": "affected",
"version": "0.10.0-rc1",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-cli"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:github/gleam-lang/gleam",
"product": "Gleam",
"programFiles": [
"compiler-cli/src/fs.rs",
"compiler-cli/src/publish.rs"
],
"programRoutines": [
{
"name": "compiler_cli::fs::gleam_files"
},
{
"name": "compiler_cli::fs::native_files"
},
{
"name": "compiler_cli::fs::private_files"
},
{
"name": "compiler_cli::publish::project_files"
},
{
"name": "compiler_cli::publish::add_path_to_tar"
}
],
"repo": "https://github.com/gleam-lang/gleam",
"vendor": "Gleam",
"versions": [
{
"lessThan": "1.17.0",
"status": "affected",
"version": "0.10.0-rc1",
"versionType": "semver"
},
{
"lessThan": "6435a5528b9ae0449e2f32be579641ec485f6866",
"status": "affected",
"version": "c82a2d83bd0c06cafdc196820deb3f89a9b3ff7c",
"versionType": "git"
}
]
},
{
"collectionURL": "https://ghcr.io",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-cli"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:oci/gleam?repository_url=ghcr.io/gleam-lang",
"product": "Gleam",
"programFiles": [
"compiler-cli/src/fs.rs",
"compiler-cli/src/publish.rs"
],
"programRoutines": [
{
"name": "compiler_cli::fs::gleam_files"
},
{
"name": "compiler_cli::fs::native_files"
},
{
"name": "compiler_cli::fs::private_files"
},
{
"name": "compiler_cli::publish::project_files"
},
{
"name": "compiler_cli::publish::add_path_to_tar"
}
],
"vendor": "Gleam",
"versions": [
{
"lessThan": "v1.17.0-elixir",
"status": "affected",
"version": "v0.10.0-rc1-elixir",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang",
"status": "affected",
"version": "v0.10.0-rc1-erlang",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node",
"status": "affected",
"version": "v0.10.0-rc1-node",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node-slim",
"status": "affected",
"version": "v0.10.0-rc1-node-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-elixir-slim",
"status": "affected",
"version": "v0.10.0-rc1-elixir-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang-slim",
"status": "affected",
"version": "v0.10.0-rc1-erlang-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang-alpine",
"status": "affected",
"version": "v0.10.0-rc1-erlang-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-elixir-alpine",
"status": "affected",
"version": "v0.10.0-rc1-elixir-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node-alpine",
"status": "affected",
"version": "v0.10.0-rc1-node-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-scratch",
"status": "affected",
"version": "v0.10.0-rc1-scratch",
"versionType": "other"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.17.0",
"versionStartIncluding": "0.10.0-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aly (spect3r1)"
},
{
"lang": "en",
"type": "finder",
"value": "Abdelrahman Ahmed Aboelkasem (0x2face)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Louis Pilfold"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSymlink following vulnerability in Gleam\u0027s Hex package export allows files outside the project root to be embedded in the generated package tarball.\u003c/p\u003e\u003cp\u003eThe file collection helpers (\u003ctt\u003egleam_files\u003c/tt\u003e, \u003ctt\u003enative_files\u003c/tt\u003e, \u003ctt\u003eprivate_files\u003c/tt\u003e) in \u003ctt\u003ecompiler-cli/src/fs.rs\u003c/tt\u003e use \u003ctt\u003efollow_links(true)\u003c/tt\u003e when walking publishable directories such as \u003ctt\u003esrc/\u003c/tt\u003e and \u003ctt\u003epriv/\u003c/tt\u003e. The collected paths are added to the package archive via \u003ctt\u003eadd_path_to_tar\u003c/tt\u003e in \u003ctt\u003ecompiler-cli/src/publish.rs\u003c/tt\u003e without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause \u003ctt\u003egleam export hex-tarball\u003c/tt\u003e or \u003ctt\u003egleam publish\u003c/tt\u003e to embed the contents of the symlink target into the generated Hex package.\u003c/p\u003e\u003cp\u003eAn attacker with write access to the project repository can place a symlink in \u003ctt\u003esrc/\u003c/tt\u003e or \u003ctt\u003epriv/\u003c/tt\u003e pointing to an arbitrary file. When a maintainer or CI pipeline runs \u003ctt\u003egleam publish\u003c/tt\u003e or \u003ctt\u003egleam export hex-tarball\u003c/tt\u003e, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact.\u003c/p\u003e\u003cp\u003eThis issue affects Gleam from 0.10.0-rc1 until 1.17.0.\u003c/p\u003e"
}
],
"value": "Symlink following vulnerability in Gleam\u0027s Hex package export allows files outside the project root to be embedded in the generated package tarball.\n\nThe file collection helpers (gleam_files, native_files, private_files) in compiler-cli/src/fs.rs use follow_links(true) when walking publishable directories such as src/ and priv/. The collected paths are added to the package archive via add_path_to_tar in compiler-cli/src/publish.rs without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause gleam export hex-tarball or gleam publish to embed the contents of the symlink target into the generated Hex package.\n\nAn attacker with write access to the project repository can place a symlink in src/ or priv/ pointing to an arbitrary file. When a maintainer or CI pipeline runs gleam publish or gleam export hex-tarball, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact.\n\nThis issue affects Gleam from 0.10.0-rc1 until 1.17.0."
}
],
"impacts": [
{
"capecId": "CAPEC-132",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-132 Symlink Attack"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T19:14:25.176Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/gleam-lang/gleam/security/advisories/GHSA-qhh5-fg4c-8gqc"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-42795.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-42795"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gleam-lang/gleam/commit/6435a5528b9ae0449e2f32be579641ec485f6866"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Symlink Following in Hex Package Export Allows Embedding Files Outside Project Root",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eAvoid running \u003ctt\u003egleam publish\u003c/tt\u003e or \u003ctt\u003egleam export hex-tarball\u003c/tt\u003e on untrusted projects\u003c/li\u003e\u003cli\u003eReview the contents of \u003ctt\u003esrc/\u003c/tt\u003e and \u003ctt\u003epriv/\u003c/tt\u003e for unexpected symlinks before publishing\u003c/li\u003e\u003cli\u003eRun publishing commands in a restricted or isolated environment (e.g. containers)\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Avoid running gleam publish or gleam export hex-tarball on untrusted projects\n* Review the contents of src/ and priv/ for unexpected symlinks before publishing\n* Run publishing commands in a restricted or isolated environment (e.g. containers)"
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-42795",
"datePublished": "2026-06-02T13:41:39.527Z",
"dateReserved": "2026-04-29T18:06:33.251Z",
"dateUpdated": "2026-06-02T19:14:25.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32685 (GCVE-0-2026-32685)
Vulnerability from cvelistv5 – Published: 2026-06-02 13:41 – Updated: 2026-06-02 19:14
Title
Path Traversal in gleam docs build via documentation.pages Allows Arbitrary File Read and Write
Summary
Path traversal vulnerability in Gleam's handling of custom documentation pages allows arbitrary file read and file write outside the intended documentation output directory.
The documentation.pages entries from gleam.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended project and documentation output directories. The documentation.pages[].path field can be used to write generated documentation files outside the intended build/dev/docs/<package>/ output directory. The documentation.pages[].source field can be used to read files outside the project directory and embed their contents into generated documentation output.
An attacker who can convince a victim to run gleam docs build on an untrusted project, or with untrusted gleam.toml content, can cause local files readable by the victim to be included in generated documentation artifacts, and can cause generated documentation files to be written outside the intended docs output directory.
This issue affects Gleam from 1.16.0 until 1.17.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References
5 references
| URL | Tags |
|---|---|
| https://github.com/gleam-lang/gleam/security/advi… | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-32685.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-32685 | related |
| https://github.com/gleam-lang/gleam/commit/815706… | patch |
| https://github.com/gleam-lang/gleam/commit/c9230c… | patch |
Impacted products
3 products
| Vendor | Product | Affected versions | CPE |
|---|---|---|---|
| Gleam | Gleam | 1.16.0, < 1.17.0 (semver) | cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
| Gleam | Gleam | 1.16.0, < 1.17.0 (semver); 61ed8deb6572b5591ad17d6302c1a38607522f16, < 81570611906b6b0039c948037094d09a68700f3a (git) | cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
| Gleam | Gleam | v1.16.0-elixir, < v1.17.0-elixir; v1.16.0-erlang, < v1.17.0-erlang; v1.16.0-node, < v1.17.0-node; v1.16.0-node-slim, < v1.17.0-node-slim; v1.16.0-elixir-slim, < v1.17.0-elixir-slim; v1.16.0-erlang-slim, < v1.17.0-erlang-slim; v1.16.0-erlang-alpine, < v1.17.0-erlang-alpine; v1.16.0-elixir-alpine, < v1.17.0-elixir-alpine; v1.16.0-node-alpine, < v1.17.0-node-alpine; v1.16.0-scratch, < v1.17.0-scratch (all: other) | cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32685",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:06:11.916565Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T15:06:40.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gleam-lang/gleam/security/advisories/GHSA-wjx8-7w8m-p4v7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-core",
"compiler-cli"
],
"packageName": "gleam",
"packageURL": "pkg:sid/gleam.run/gleam",
"product": "Gleam",
"programFiles": [
"compiler-core/src/config.rs",
"compiler-core/src/docs.rs",
"compiler-cli/src/docs.rs",
"compiler-cli/src/fs.rs"
],
"programRoutines": [
{
"name": "compiler_cli::docs::build_project"
},
{
"name": "compiler_core::docs::generate_html"
}
],
"vendor": "Gleam",
"versions": [
{
"lessThan": "1.17.0",
"status": "affected",
"version": "1.16.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-core",
"compiler-cli"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:github/gleam-lang/gleam",
"product": "Gleam",
"programFiles": [
"compiler-core/src/config.rs",
"compiler-core/src/docs.rs",
"compiler-cli/src/docs.rs",
"compiler-cli/src/fs.rs"
],
"programRoutines": [
{
"name": "compiler_cli::docs::build_project"
},
{
"name": "compiler_core::docs::generate_html"
}
],
"repo": "https://github.com/gleam-lang/gleam",
"vendor": "Gleam",
"versions": [
{
"lessThan": "1.17.0",
"status": "affected",
"version": "1.16.0",
"versionType": "semver"
},
{
"lessThan": "81570611906b6b0039c948037094d09a68700f3a",
"status": "affected",
"version": "61ed8deb6572b5591ad17d6302c1a38607522f16",
"versionType": "git"
}
]
},
{
"collectionURL": "https://ghcr.io",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-core",
"compiler-cli"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:oci/gleam?repository_url=ghcr.io/gleam-lang",
"product": "Gleam",
"programFiles": [
"compiler-core/src/config.rs",
"compiler-core/src/docs.rs",
"compiler-cli/src/docs.rs",
"compiler-cli/src/fs.rs"
],
"programRoutines": [
{
"name": "compiler_cli::docs::build_project"
},
{
"name": "compiler_core::docs::generate_html"
}
],
"vendor": "Gleam",
"versions": [
{
"lessThan": "v1.17.0-elixir",
"status": "affected",
"version": "v1.16.0-elixir",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang",
"status": "affected",
"version": "v1.16.0-erlang",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node",
"status": "affected",
"version": "v1.16.0-node",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node-slim",
"status": "affected",
"version": "v1.16.0-node-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-elixir-slim",
"status": "affected",
"version": "v1.16.0-elixir-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang-slim",
"status": "affected",
"version": "v1.16.0-erlang-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang-alpine",
"status": "affected",
"version": "v1.16.0-erlang-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-elixir-alpine",
"status": "affected",
"version": "v1.16.0-elixir-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node-alpine",
"status": "affected",
"version": "v1.16.0-node-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-scratch",
"status": "affected",
"version": "v1.16.0-scratch",
"versionType": "other"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe project must use custom documentation pages via \u003ctt\u003edocumentation.pages\u003c/tt\u003e in \u003ctt\u003egleam.toml\u003c/tt\u003e, and the victim must run \u003ctt\u003egleam docs build\u003c/tt\u003e on an untrusted project or with untrusted \u003ctt\u003egleam.toml\u003c/tt\u003e content. Projects that do not use custom documentation pages are not affected.\u003c/p\u003e"
}
],
"value": "The project must use custom documentation pages via documentation.pages in gleam.toml, and the victim must run gleam docs build on an untrusted project or with untrusted gleam.toml content. Projects that do not use custom documentation pages are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.17.0",
"versionStartIncluding": "1.16.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "evipepota"
},
{
"lang": "en",
"type": "remediation developer",
"value": "evipepota"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Louis Pilfold"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePath traversal vulnerability in Gleam\u0027s handling of custom documentation pages allows arbitrary file read and file write outside the intended documentation output directory.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003edocumentation.pages\u003c/tt\u003e entries from \u003ctt\u003egleam.toml\u003c/tt\u003e are incorporated into filesystem paths without sufficient validation or confinement to the intended project and documentation output directories. The \u003ctt\u003edocumentation.pages[].path\u003c/tt\u003e field can be used to write generated documentation files outside the intended \u003ctt\u003ebuild/dev/docs/\u0026lt;package\u0026gt;/\u003c/tt\u003e output directory. The \u003ctt\u003edocumentation.pages[].source\u003c/tt\u003e field can be used to read files outside the project directory and embed their contents into generated documentation output.\u003c/p\u003e\u003cp\u003eAn attacker who can convince a victim to run \u003ctt\u003egleam docs build\u003c/tt\u003e on an untrusted project, or with untrusted \u003ctt\u003egleam.toml\u003c/tt\u003e content, can cause local files readable by the victim to be included in generated documentation artifacts, and can cause generated documentation files to be written outside the intended docs output directory.\u003c/p\u003e\u003cp\u003eThis issue affects Gleam from 1.16.0 until 1.17.0.\u003c/p\u003e"
}
],
"value": "Path traversal vulnerability in Gleam\u0027s handling of custom documentation pages allows arbitrary file read and file write outside the intended documentation output directory.\n\nThe documentation.pages entries from gleam.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended project and documentation output directories. The documentation.pages[].path field can be used to write generated documentation files outside the intended build/dev/docs/\u003cpackage\u003e/ output directory. The documentation.pages[].source field can be used to read files outside the project directory and embed their contents into generated documentation output.\n\nAn attacker who can convince a victim to run gleam docs build on an untrusted project, or with untrusted gleam.toml content, can cause local files readable by the victim to be included in generated documentation artifacts, and can cause generated documentation files to be written outside the intended docs output directory.\n\nThis issue affects Gleam from 1.16.0 until 1.17.0."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
},
{
"capecId": "CAPEC-597",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-597 Absolute Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T19:14:20.700Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/gleam-lang/gleam/security/advisories/GHSA-wjx8-7w8m-p4v7"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-32685.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-32685"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gleam-lang/gleam/commit/81570611906b6b0039c948037094d09a68700f3a"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gleam-lang/gleam/commit/c9230cd3045de8fd8481dae3a4557c0146df1430"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Path Traversal in gleam docs build via documentation.pages Allows Arbitrary File Read and Write",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eAvoid running \u003ctt\u003egleam docs build\u003c/tt\u003e on untrusted projects\u003c/li\u003e\u003cli\u003eReview \u003ctt\u003edocumentation.pages\u003c/tt\u003e entries in \u003ctt\u003egleam.toml\u003c/tt\u003e before generating documentation\u003c/li\u003e\u003cli\u003eRun documentation generation in a restricted or isolated environment (e.g. containers)\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Avoid running gleam docs build on untrusted projects\n* Review documentation.pages entries in gleam.toml before generating documentation\n* Run documentation generation in a restricted or isolated environment (e.g. containers)"
}
],
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-32685",
"datePublished": "2026-06-02T13:41:37.885Z",
"dateReserved": "2026-03-13T09:12:14.474Z",
"dateUpdated": "2026-06-02T19:14:20.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43965 (GCVE-0-2026-43965)
Vulnerability from cvelistv5 – Published: 2026-06-02 13:41 – Updated: 2026-06-02 19:14
Title
Path Traversal in build/packages/packages.toml Allows Arbitrary Directory Deletion
Summary
Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content.
Package keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_package(), which constructs a filesystem path by joining the project build directory with the attacker-controlled key. The resulting path is then passed to fs::delete_directory (which calls remove_dir_all). No check is performed to ensure the path remains within the intended build/packages/ directory. Both absolute paths and relative traversal sequences (e.g. ../) are accepted as package keys, allowing deletion of arbitrary directories.
An attacker who can cause a victim to run gleam deps download on a project containing a malicious build/packages/packages.toml (e.g. by committing the normally-gitignored file to a repository) can cause arbitrary directories on the victim's system to be recursively deleted.
This issue affects Gleam from 0.18.0-rc1 until 1.17.0.
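The three advisories on this page describe the same missing control: a path derived from repository content (a symlink under src/ or priv/, a documentation.pages entry, a packages.toml key) is joined onto a root or deleted without checking that it stays under the directory it was meant for. The following is an added Rust example, not Gleam's code or its fix commits, of the two defender-side checks: a syntactic check before an untrusted relative path is joined onto a root, and a filesystem walk that does not follow links and flags symlinks under a publishable directory whose resolved target leaves the project root. Directory names and sample keys are constructed for the example.

```rust
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

/// Syntactic check for a path fragment taken from untrusted input such as a
/// `build/packages/packages.toml` key or a `documentation.pages[].path` value:
/// it must be non-empty, relative, and made only of normal components, so it
/// cannot climb out of the directory it will be joined onto.
pub fn is_safe_relative(fragment: &str) -> bool {
    !fragment.is_empty()
        && Path::new(fragment)
            .components()
            .all(|c| matches!(c, Component::Normal(_)))
}

/// Join `fragment` onto `root` only if `is_safe_relative` accepts it.
/// Returns `None` instead of a path that would escape `root`, so a caller such
/// as a delete-or-write routine has nothing to operate on in the bad case.
pub fn confined_join(root: &Path, fragment: &str) -> Option<PathBuf> {
    if is_safe_relative(fragment) {
        Some(root.join(fragment))
    } else {
        None
    }
}

/// Filesystem check: follow symlinks on `path` and report whether the final
/// target still lies under `root`. Both sides are canonicalized so that a
/// symlinked root (e.g. a temp directory) does not cause false alarms.
pub fn resolves_within(root: &Path, path: &Path) -> io::Result<bool> {
    let root = fs::canonicalize(root)?;
    let target = fs::canonicalize(path)?;
    Ok(target.starts_with(&root))
}

/// Walk `dir` without following symlinks (the opposite of `follow_links(true)`)
/// and collect every symlink whose resolved target is outside `root`.
/// A dangling symlink is reported too, because its target cannot be verified.
pub fn escaping_symlinks(root: &Path, dir: &Path) -> io::Result<Vec<PathBuf>> {
    let root = fs::canonicalize(root)?;
    let mut escaped = Vec::new();
    let mut pending = vec![dir.to_path_buf()];
    while let Some(current) = pending.pop() {
        for entry in fs::read_dir(&current)? {
            let path = entry?.path();
            // symlink_metadata describes the link itself, not its target.
            let file_type = fs::symlink_metadata(&path)?.file_type();
            if file_type.is_symlink() {
                match fs::canonicalize(&path) {
                    Ok(target) if target.starts_with(&root) => {}
                    _ => escaped.push(path),
                }
            } else if file_type.is_dir() {
                // Only real directories are descended into; linked ones are not.
                pending.push(path);
            }
        }
    }
    escaped.sort();
    Ok(escaped)
}

fn main() {
    // Constructed sample keys of the kind read from packages.toml or gleam.toml.
    let build_packages = Path::new("build/packages");
    for key in ["gleam_stdlib", "../../important", "/srv/data", "a/../b"] {
        match confined_join(build_packages, key) {
            Some(p) => println!("{key:?} -> would operate on {}", p.display()),
            None => println!("{key:?} -> rejected before any filesystem access"),
        }
    }
    // Filesystem check on the current project, if it has a src/ directory.
    let root = Path::new(".");
    if root.join("src").is_dir() {
        match escaping_symlinks(root, &root.join("src")) {
            Ok(links) if links.is_empty() => println!("src/: no escaping symlinks"),
            Ok(links) => println!("src/: escaping symlinks: {links:?}"),
            Err(e) => println!("src/: walk failed: {e}"),
        }
    }
}
```

Run from a project root before `gleam publish`, `gleam export hex-tarball` or `gleam deps download` to apply the "review for unexpected symlinks" workaround mechanically; the same `confined_join` guard applies to `documentation.pages[].source` against the project directory and `documentation.pages[].path` against the docs output directory.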
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gleam-lang/gleam/security/advi… | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-43965.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-43965 | related |
| https://github.com/gleam-lang/gleam/commit/690ca0… | patch |
Impacted products
3 products
| Vendor | Product | Affected versions | CPE |
|---|---|---|---|
| Gleam | Gleam | 0.18.0-rc1, < 1.17.0 (semver) | cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
| Gleam | Gleam | 0.18.0-rc1, < 1.17.0 (semver); ed7aec0484f10d60978b63788c8a6497590855ab, < 690ca069817bee5f77a28fc3e360627c1da19291 (git) | cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
| Gleam | Gleam | v0.18.0-rc1-elixir, < v1.17.0-elixir; v0.18.0-rc1-erlang, < v1.17.0-erlang; v0.18.0-rc1-node, < v1.17.0-node; v0.18.0-rc1-node-slim, < v1.17.0-node-slim; v0.18.0-rc1-elixir-slim, < v1.17.0-elixir-slim; v0.18.0-rc1-erlang-slim, < v1.17.0-erlang-slim; v0.18.0-rc1-erlang-alpine, < v1.17.0-erlang-alpine; v0.18.0-rc1-elixir-alpine, < v1.17.0-elixir-alpine; v0.18.0-rc1-node-alpine, < v1.17.0-node-alpine; v0.18.0-rc1-scratch, < v1.17.0-scratch (all: other) | cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43965",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T15:07:44.667204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T15:08:13.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gleam-lang/gleam/security/advisories/GHSA-jqvf-f6p2-wrv3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-cli"
],
"packageName": "gleam",
"packageURL": "pkg:sid/gleam.run/gleam",
"product": "Gleam",
"programFiles": [
"compiler-cli/src/dependencies.rs"
],
"programRoutines": [
{
"name": "compiler_cli::dependencies::remove_extra_packages"
},
{
"name": "compiler_cli::dependencies::LocalPackages::read_from_disc"
},
{
"name": "compiler_cli::dependencies::LocalPackages::extra_local_packages"
}
],
"vendor": "Gleam",
"versions": [
{
"lessThan": "1.17.0",
"status": "affected",
"version": "0.18.0-rc1",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-cli"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:github/gleam-lang/gleam",
"product": "Gleam",
"programFiles": [
"compiler-cli/src/dependencies.rs"
],
"programRoutines": [
{
"name": "compiler_cli::dependencies::remove_extra_packages"
},
{
"name": "compiler_cli::dependencies::LocalPackages::read_from_disc"
},
{
"name": "compiler_cli::dependencies::LocalPackages::extra_local_packages"
}
],
"repo": "https://github.com/gleam-lang/gleam",
"vendor": "Gleam",
"versions": [
{
"lessThan": "1.17.0",
"status": "affected",
"version": "0.18.0-rc1",
"versionType": "semver"
},
{
"lessThan": "690ca069817bee5f77a28fc3e360627c1da19291",
"status": "affected",
"version": "ed7aec0484f10d60978b63788c8a6497590855ab",
"versionType": "git"
}
]
},
{
"collectionURL": "https://ghcr.io",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-cli"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:oci/gleam?repository_url=ghcr.io/gleam-lang",
"product": "Gleam",
"programFiles": [
"compiler-cli/src/dependencies.rs"
],
"programRoutines": [
{
"name": "compiler_cli::dependencies::remove_extra_packages"
},
{
"name": "compiler_cli::dependencies::LocalPackages::read_from_disc"
},
{
"name": "compiler_cli::dependencies::LocalPackages::extra_local_packages"
}
],
"vendor": "Gleam",
"versions": [
{
"lessThan": "v1.17.0-elixir",
"status": "affected",
"version": "v0.18.0-rc1-elixir",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang",
"status": "affected",
"version": "v0.18.0-rc1-erlang",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node",
"status": "affected",
"version": "v0.18.0-rc1-node",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node-slim",
"status": "affected",
"version": "v0.18.0-rc1-node-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-elixir-slim",
"status": "affected",
"version": "v0.18.0-rc1-elixir-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang-slim",
"status": "affected",
"version": "v0.18.0-rc1-erlang-slim",
"versionType": "other"
},
{
"lessThan": "v1.17.0-erlang-alpine",
"status": "affected",
"version": "v0.18.0-rc1-erlang-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-elixir-alpine",
"status": "affected",
"version": "v0.18.0-rc1-elixir-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-node-alpine",
"status": "affected",
"version": "v0.18.0-rc1-node-alpine",
"versionType": "other"
},
{
"lessThan": "v1.17.0-scratch",
"status": "affected",
"version": "v0.18.0-rc1-scratch",
"versionType": "other"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.17.0",
"versionStartIncluding": "0.18.0-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aly (spect3r1)"
},
{
"lang": "en",
"type": "finder",
"value": "Abdelrahman Ahmed Aboelkasem (0x2face)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Louis Pilfold"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePath traversal vulnerability in Gleam\u0027s dependency management allows arbitrary directory deletion via malicious \u003ctt\u003ebuild/packages/packages.toml\u003c/tt\u003e content.\u003c/p\u003e\u003cp\u003ePackage keys read from \u003ctt\u003ebuild/packages/packages.toml\u003c/tt\u003e by \u003ctt\u003eLocalPackages::read_from_disc\u003c/tt\u003e are passed without validation to \u003ctt\u003epaths.build_packages_package()\u003c/tt\u003e, which constructs a filesystem path by joining the project build directory with the attacker-controlled key. The resulting path is then passed to \u003ctt\u003efs::delete_directory\u003c/tt\u003e (which calls \u003ctt\u003eremove_dir_all\u003c/tt\u003e). No check is performed to ensure the path remains within the intended \u003ctt\u003ebuild/packages/\u003c/tt\u003e directory. Both absolute paths and relative traversal sequences (e.g. \u003ctt\u003e../\u003c/tt\u003e) are accepted as package keys, allowing deletion of arbitrary directories.\u003c/p\u003e\u003cp\u003eAn attacker who can cause a victim to run \u003ctt\u003egleam deps download\u003c/tt\u003e on a project containing a malicious \u003ctt\u003ebuild/packages/packages.toml\u003c/tt\u003e (e.g. by committing the normally-gitignored file to a repository) can cause arbitrary directories on the victim\u0027s system to be recursively deleted.\u003c/p\u003e\u003cp\u003eThis issue affects Gleam from 0.18.0-rc1 until 1.17.0.\u003c/p\u003e"
}
],
"value": "Path traversal vulnerability in Gleam\u0027s dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content.\n\nPackage keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_package(), which constructs a filesystem path by joining the project build directory with the attacker-controlled key. The resulting path is then passed to fs::delete_directory (which calls remove_dir_all). No check is performed to ensure the path remains within the intended build/packages/ directory. Both absolute paths and relative traversal sequences (e.g. ../) are accepted as package keys, allowing deletion of arbitrary directories.\n\nAn attacker who can cause a victim to run gleam deps download on a project containing a malicious build/packages/packages.toml (e.g. by committing the normally-gitignored file to a repository) can cause arbitrary directories on the victim\u0027s system to be recursively deleted.\n\nThis issue affects Gleam from 0.18.0-rc1 until 1.17.0."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
},
{
"capecId": "CAPEC-597",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-597 Absolute Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T19:14:19.113Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/gleam-lang/gleam/security/advisories/GHSA-jqvf-f6p2-wrv3"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43965.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43965"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gleam-lang/gleam/commit/690ca069817bee5f77a28fc3e360627c1da19291"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Path Traversal in build/packages/packages.toml Allows Arbitrary Directory Deletion",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43965",
"datePublished": "2026-06-02T13:41:37.421Z",
"dateReserved": "2026-05-04T18:23:25.573Z",
"dateUpdated": "2026-06-02T19:14:19.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32146 (GCVE-0-2026-32146)
Vulnerability from cvelistv5 – Published: 2026-04-11 12:59 – Updated: 2026-05-27 15:41
VLAI
Title
Improper Path Validation in Git Dependency Handling Allows Arbitrary File System Modification
Summary
Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download.
Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation.
This vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files.
This issue affects Gleam from 1.9.0-rc1 until 1.15.4.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/gleam-lang/gleam/security/advi… | vendor-advisory, related |
| https://cna.erlef.org/cves/CVE-2026-32146.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-32146 | related |
| https://github.com/gleam-lang/gleam/commit/1aa5d8… | patch |
| https://github.com/gleam-lang/gleam/commit/2dc046… | patch |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Gleam | Gleam |
Affected:
1.9.0-rc1 , < *
(semver)
cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
|
| Gleam | Gleam |
Affected:
1.9.0-rc1 , < *
(semver)
Affected: a4fde22445ab8e5cc79c2ff48971616cb570702c , < * (git) cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
|
| Gleam | Gleam |
Affected:
v1.9.0-rc1-elixir , < v1.15.4-elixir
(other)
Affected: v1.9.0-rc1-erlang , < v1.15.4-erlang (other)
Affected: v1.9.0-rc1-node , < v1.15.4-node (other)
Affected: v1.9.0-rc1-node-slim , < v1.15.4-node-slim (other)
Affected: v1.9.0-rc1-elixir-slim , < v1.15.4-elixir-slim (other)
Affected: v1.9.0-rc1-erlang-slim , < v1.15.4-erlang-slim (other)
Affected: v1.9.0-rc1-erlang-alpine , < v1.15.4-erlang-alpine (other)
Affected: v1.9.0-rc1-elixir-alpine , < v1.15.4-elixir-alpine (other)
Affected: v1.9.0-rc1-node-alpine , < v1.15.4-node-alpine (other)
Affected: v1.9.0-rc1-scratch , < v1.15.4-scratch (other)
cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32146",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T17:44:39.043742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T17:44:51.962Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-core"
],
"packageName": "gleam",
"packageURL": "pkg:sid/gleam.run/gleam",
"product": "Gleam",
"programFiles": [
"compiler-core/src/config.rs",
"compiler-core/src/manifest.rs"
],
"programRoutines": [
{
"name": "compiler_core::config::dependencies_map::deserialize"
},
{
"name": "compiler_core::config::package_name::deserialize"
}
],
"vendor": "Gleam",
"versions": [
{
"changes": [
{
"at": "1.15.4",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.9.0-rc1",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-core"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:github/gleam-lang/gleam",
"product": "Gleam",
"programFiles": [
"compiler-core/src/config.rs",
"compiler-core/src/manifest.rs"
],
"programRoutines": [
{
"name": "compiler_core::config::dependencies_map::deserialize"
},
{
"name": "compiler_core::config::package_name::deserialize"
}
],
"repo": "https://github.com/gleam-lang/gleam",
"vendor": "Gleam",
"versions": [
{
"changes": [
{
"at": "1.15.4",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "1.9.0-rc1",
"versionType": "semver"
},
{
"changes": [
{
"at": "92aae3913570e8d8962f6399404777d313045bfa",
"status": "unaffected"
},
{
"at": "2dc0467f822c75de94697a912755d172928ee40a",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "a4fde22445ab8e5cc79c2ff48971616cb570702c",
"versionType": "git"
}
]
},
{
"collectionURL": "https://ghcr.io",
"cpes": [
"cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"compiler-core"
],
"packageName": "gleam-lang/gleam",
"packageURL": "pkg:oci/gleam?repository_url=ghcr.io/gleam-lang",
"product": "Gleam",
"programFiles": [
"compiler-core/src/config.rs",
"compiler-core/src/manifest.rs"
],
"programRoutines": [
{
"name": "compiler_core::config::dependencies_map::deserialize"
},
{
"name": "compiler_core::config::package_name::deserialize"
}
],
"vendor": "Gleam",
"versions": [
{
"lessThan": "v1.15.4-elixir",
"status": "affected",
"version": "v1.9.0-rc1-elixir",
"versionType": "other"
},
{
"lessThan": "v1.15.4-erlang",
"status": "affected",
"version": "v1.9.0-rc1-erlang",
"versionType": "other"
},
{
"lessThan": "v1.15.4-node",
"status": "affected",
"version": "v1.9.0-rc1-node",
"versionType": "other"
},
{
"lessThan": "v1.15.4-node-slim",
"status": "affected",
"version": "v1.9.0-rc1-node-slim",
"versionType": "other"
},
{
"lessThan": "v1.15.4-elixir-slim",
"status": "affected",
"version": "v1.9.0-rc1-elixir-slim",
"versionType": "other"
},
{
"lessThan": "v1.15.4-erlang-slim",
"status": "affected",
"version": "v1.9.0-rc1-erlang-slim",
"versionType": "other"
},
{
"lessThan": "v1.15.4-erlang-alpine",
"status": "affected",
"version": "v1.9.0-rc1-erlang-alpine",
"versionType": "other"
},
{
"lessThan": "v1.15.4-elixir-alpine",
"status": "affected",
"version": "v1.9.0-rc1-elixir-alpine",
"versionType": "other"
},
{
"lessThan": "v1.15.4-node-alpine",
"status": "affected",
"version": "v1.9.0-rc1-node-alpine",
"versionType": "other"
},
{
"lessThan": "v1.15.4-scratch",
"status": "affected",
"version": "v1.9.0-rc1-scratch",
"versionType": "other"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe project must use git-based dependencies (direct or transitive), or the victim must run \u003ctt\u003egleam deps download\u003c/tt\u003e on a repository with a malicious \u003ctt\u003emanifest.toml\u003c/tt\u003e lockfile. Projects that exclusively use Hex dependencies and do not clone untrusted repositories are not affected.\u003c/p\u003e\u003cp\u003eProjects that exclusively use trusted or personally controlled git dependencies, or dependencies pinned to verified commit SHAs, are not exposed.\u003c/p\u003e"
}
],
"value": "The project must use git-based dependencies (direct or transitive), or the victim must run gleam deps download on a repository with a malicious manifest.toml lockfile. Projects that exclusively use Hex dependencies and do not clone untrusted repositories are not affected.\n\nProjects that exclusively use trusted or personally controlled git dependencies, or dependencies pinned to verified commit SHAs, are not exposed."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gleam-lang:gleam:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.15.4",
"versionStartIncluding": "1.9.0-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "John Downey"
},
{
"lang": "en",
"type": "analyst",
"value": "Louis Pilfold"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper path validation vulnerability in the Gleam compiler\u0027s handling of git dependencies allows arbitrary file system modification during dependency download.\u003cp\u003eDependency names from \u003ctt\u003egleam.toml\u003c/tt\u003e and \u003ctt\u003emanifest.toml\u003c/tt\u003e are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as \u003ctt\u003e../\u003c/tt\u003e or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via \u003ctt\u003egleam deps download\u003c/tt\u003e), the computed path is used for filesystem operations including directory deletion and creation.\u003c/p\u003e\u003cp\u003eThis vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files.\u003c/p\u003e\u003cp\u003eThis issue affects Gleam from 1.9.0-rc1 until 1.15.4.\u003c/p\u003e"
}
],
"value": "Improper path validation vulnerability in the Gleam compiler\u0027s handling of git dependencies allows arbitrary file system modification during dependency download.\n\nDependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation.\n\nThis vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files.\n\nThis issue affects Gleam from 1.9.0-rc1 until 1.15.4."
}
],
"impacts": [
{
"capecId": "CAPEC-139",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-139 Relative Path Traversal"
}
]
},
{
"capecId": "CAPEC-597",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-597 Absolute Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:41:03.772Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/gleam-lang/gleam/security/advisories/GHSA-vq5j-55vx-wq8j"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-32146.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-32146"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gleam-lang/gleam/commit/1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gleam-lang/gleam/commit/2dc0467f822c75de94697a912755d172928ee40a"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpgrade to Gleam 1.15.4 or later.\u003c/p\u003e\u003cp\u003eBoth patches must be applied: the original incomplete fix (\u003ctt\u003e1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf\u003c/tt\u003e, backported as \u003ctt\u003e55bb36e6d7febfbbc48c4d001e0ae13eb0312d78\u003c/tt\u003e to 1.15) and the follow-up fix (\u003ctt\u003e2dc0467f822c75de94697a912755d172928ee40a\u003c/tt\u003e, backported as \u003ctt\u003e92aae3913570e8d8962f6399404777d313045bfa\u003c/tt\u003e to 1.15). Gleam 1.15.4 includes both.\u003c/p\u003e"
}
],
"value": "Upgrade to Gleam 1.15.4 or later.\n\nBoth patches must be applied: the original incomplete fix (1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf, backported as 55bb36e6d7febfbbc48c4d001e0ae13eb0312d78 to 1.15) and the follow-up fix (2dc0467f822c75de94697a912755d172928ee40a, backported as 92aae3913570e8d8962f6399404777d313045bfa to 1.15). Gleam 1.15.4 includes both."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Path Validation in Git Dependency Handling Allows Arbitrary File System Modification",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eAvoid using untrusted git dependencies, especially without pinning to a specific commit SHA\u003c/li\u003e\u003cli\u003eReview dependency trees carefully, including transitive git dependencies\u003c/li\u003e\u003cli\u003eRun dependency resolution commands in a restricted or isolated environment (e.g. containers)\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Avoid using untrusted git dependencies, especially without pinning to a specific commit SHA\n* Review dependency trees carefully, including transitive git dependencies\n* Run dependency resolution commands in a restricted or isolated environment (e.g. containers)"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-32146",
"datePublished": "2026-04-11T12:59:22.911Z",
"dateReserved": "2026-03-10T22:37:29.213Z",
"dateUpdated": "2026-05-27T15:41:03.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}